Re: [WIRELESS-LAN] Recent Radius Meltdowns
> On 10 Mar 2016, at 22:36, Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote:
>
> About a year and a half ago I did pretty exhaustive testing of RADIUS load with the Spirent traffic generator and with the assistance of PacketFence developers. (PacketFence is also based on FreeRADIUS). They suggested we tweak the MaxConcurrentAPI setting on our test AD server. So we did, but unfortunately it seemed to make no difference at all in the number of authentications per second we could process from the load generator.
>
> One thing we found though was that if we ran the authentications against a flat file on the RADIUS server itself we could process six times more authentications. The bottom line is that whether it is SAMBA, NTLM, AD, or network latency itself I can't say - but I do know that if I eliminate all of them performance increases dramatically.
>
> Bottom line: Use EAP-TLS, and avoid checking LDAP/AD except when absolutely necessary. PEAP is vulnerable to fake AP/MITM attacks anyway.

PEAP and TTLS are both horrifically insecure. I have a presentation on it coming up, I'll post the video when it's complete. The OSX/iOS/Windows supplicants are all vulnerable to bid down attacks when there's no wireless profile for the network. The server can request EAP-TTLS and they'll happily oblige, meaning you don't even need to crack the DES keys in MSCHAPv2.

> If you must check AD all the time - get a lot of servers, load balance them, monitor and graph authentications down to the second. That way you'll be more likely to identify the cause of an issue.

It doesn't help that FreeRADIUS's processing model is synchronous. We're looking at fixing that, but after considering all the options it really looks like the only model we can adopt is using our own stack. That means adapting the current unlang interpreter to provide coroutine like behaviour, and reworking function calls in any module that performs blocking I/O.

It's not trivial, not sponsored, and there's only two full time developers so it's going to take a while.

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Apple OSX 10.11 beta
> On Aug 11, 2015, at 1:37 AM, Jason Cook wrote:
>
> Thanks for all the responses on this. Upgrade worked a treat.
>
> Was a better response than vendor support but to be fair we hadn't logged one with freeradius

And you wouldn't need to have, as we had stable versions with the MPPE calculation issues fixed prior to the release of iOS9. We've known about it for the past six months:

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog#L56

Prior to any of the attention it got due to iOS9/Google/Android/Marshmallow.

The later fix for EAP-TTLS was due to some (mostly) duplicate code missed in the first round of patches. EAP-TLS and PEAP have worked fine since 2.2.7.

The reason why you see an Access-Accept and the same unencrypted portion is because they are the same. What differs is the method used to derive the session keys returned to the NAS in the MPPE Key attributes. TLS 1.2 uses a different method to TLS < 1.2.

As a result of that change the server and the supplicant were deriving different values for the encryption keys used for WPA/WPA2 and that was causing the session to fail. In the case of Radiator, it was the crypto library that had not been updated to use the new method of key derivation.

The reason why the final release of iOS9 worked, was because Apple discovered the compatibility issues and disabled TLS 1.2. Google also discovered the compatibility issues, but decided that they hated their users and did not disable TLS 1.2. Result here:

https://code.google.com/p/android/issues/detail?id=188867

-Arran
Re: [WIRELESS-LAN] 802.1X and Heartbleed...
On 15 Apr 2014, at 21:55, Jason Watts jwa...@pratt.edu wrote:

> Thanks for the clarification.

FreeRADIUS 2.2.5 and 3.0.3 will contain heartbleed attack detection code which will not only prevent an attack, but also produce explicit log output indicating it was attempted.

It has been confirmed that versions 2.2.5 and 3.0.3 are vulnerable when linked against a vulnerable version of libssl.

Note: Even when updating to FreeRADIUS 2.2.5 and 3.0.3, if client libraries are linked against a vulnerable version of libssl, the server will be vulnerable to attack from compromised LDAP/SQL/HTTP servers if TLS is used to secure the connection.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Re: [WIRELESS-LAN] 802.1x vs web-portal
On 19 Nov 2013, at 21:00, Ken LeCompte lecom...@oit.rutgers.edu wrote:

> One major consideration is that the use of https for more and more webpages is resulting in more confused users not getting redirected to captive portal login pages.

A workaround for some devices would be to add a WISPr responder to the portal. It will work with all recent iOS and OSX devices, some Windows Phones, and Windows 8/8.1.

http://msdn.microsoft.com/en-us/library/windows/hardware/dn408675.aspx

There is no perfect solution to portal redirection, but WISPr does seem a good way forward.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: [WIRELESS-LAN] Multithreaded krb5 module for FreeRADIUS 2.x
> Hi Aaron,
>
> Sorry for the late response to this thread (I'm catching up on backlogged mail). I'm not sure if you got any volunteers, but we'd be very interested in testing this out (with MIT krb5 at least). Thanks for doing this work.

Hi Shumon,

Because no one responded on the FreeRADIUS lists either, I merged the new code over to the master branch and junked the copy that worked with 2.x.x. You're welcome to try out the multithreaded version on master, but your config may need some modifications.

There's still a bit more work to do so we can re-use contexts between requests, instead of cloning a master context and then freeing it after we're done. But I wanted confirmation that the current code actually worked before I spent more time on it.

-Arran
Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius
Hi,

It is an exceptionally bad idea to do what you're proposing, as it prevents local users from verifying their eduroam configuration actually works at your site before roaming to other sites.

Yes, you can display a test page, but then you have to make sure that every user sets the priority of the SSIDs correctly so that your local SSID has a higher precedence, else every time they reconnect to wireless they'll get the test page.

Many universities have transitioned to a single eduroam SSID which serves both local and remote users. They then assign different VLANs or wireless profiles dynamically based on where the user is authenticating from. This is, IMHO, far easier to support, and far better for the students/staff using the service.

The only argument I've heard against eduroam as the primary SSID is that it reduces awareness of the university brand.

-Arran
Multithreaded krb5 module for FreeRADIUS 2.x
(apologies for those on netman, this should have gone to wireless-lan originally)

Hi All,

A while back there was some discussion about the current krb5 module in FreeRADIUS being single threaded, and that it may no longer be necessary for it to be single threaded. It transpires that both MIT and Heimdal libraries are now thread safe, MIT since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 (documentation is fuzzy).

I can't test beyond compiling the code against the kerberos library, and maybe setting up a test KDC/TGS. But for this to be put into the stable branch it really needs to be tested under load, against a range of kerberos implementations.

We're looking for volunteers, preferably a mix of deployments using either MIT or Heimdal. The new module should just drop in for any v2.1.x deployment once compiled, as it doesn't use any new core API functions.

Change list:

* Both - Check that krb5 library was compiled with threading support on startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation only (instead of on every request).
* Both - Improved return codes, will now reflect revoked access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well as bad password (REJECT), and other errors (FAIL). Before the module returned REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be validated on -C), and hup safe (config will be reloaded on SIGHUP).
* Both - Switch more messages to use RDEBUG so they'll be printed in conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion so that it's done at initialisation only (instead of on every request).
* MIT - Move options configuration so they're done at initialisation only (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the replay cache on its own.

For those wanting to test:

    git clone g...@github.com:arr2036/freeradius-server.git
    cd freeradius-server
    git checkout threaded_krb5

Report issues on: http://bugs.freeradius.org, and send feedback to either the list or me directly.

Thanks,
Arran
Re: [WIRELESS-LAN] 802.1x Wireless Printers- revisited
On 12 Dec 2012, at 15:43, Lee H Badman lhbad...@syr.edu wrote:

> Has been a while: What wireless printers have you found that successfully work on 802.1x based wireless networks- particularly using MS-CHAPv2/PEAP, WPA2, and AD back-end (as if the printer was just another host on the secure network).

If the reason why you're asking is because you've had issues with the above setup, and you happen to be using HP printers: the supplicant on HP printers before firmware releases in 2011 would not work correctly if using PEAP with the inner tunnel terminating on FreeRADIUS, because HP had misimplemented the draft specification, and included full EAP headers in the inner tunnel, when they were meant to send cut down EAP headers.

Newer firmware for HP printers should contain the fix. If you're not using HP printers then apologies for the noise.

-Arran
Re: [WIRELESS-LAN] 802.1x Wireless Printers- revisited
On 13 Dec 2012, at 16:08, phanset phan...@utk.edu wrote:

>>> Has been a while: What wireless printers have you found that successfully work on 802.1x based wireless networks- particularly using MS-CHAPv2/PEAP, WPA2, and AD back-end (as if the printer was just another host on the secure network).
>>
>> If the reason why you're asking is because you've had issues with the above setup, and you happen to be using HP printers: the supplicant on HP printers before firmware releases in 2011 would not work correctly if using PEAP with the inner tunnel terminating on FreeRADIUS,
>
> Arran,
>
> Is this problem just with FreeRADIUS or should it be with all flavors of RADIUS like RADIATOR, Microsoft IAS NPS, CISCO ACS ISE, Juniper Steel-Belted?

The original implementation was known to work with Microsoft IAS at least (and most likely NPS). For the others the only way to know would be to test.

-Arran
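The inner-header difference behind both HP printer messages above, as an added example of mine rather than FreeRADIUS or HP code: PEAPv0 as implemented by Microsoft omits the Code, Identifier and Length fields from the inner EAP packet and only the Type and Type-Data cross the tunnel (EAP-TTLS, by contrast, carries a full EAP packet in its EAP-Message AVP), so a server expecting one form and receiving the other reads the wrong byte as the EAP Type. The detection heuristic and the sample Identity payload are my own assumptions, not the server's actual check.

```python
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MSCHAPV2 = 1, 26
EAP_HEADER_LEN = 5  # Code(1) Identifier(1) Length(2) Type(1)


def build_full_eap(code, identifier, eap_type, type_data):
    """A complete EAP packet (RFC 3748 section 4): the form EAP-TTLS tunnels."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def strip_eap_header(packet):
    """PEAPv0 inner form: Code, Identifier and Length are dropped and inherited
    from the outer EAP packet, leaving only Type + Type-Data."""
    return packet[4:]


def has_full_eap_header(data):
    """Heuristic (my assumption, not FreeRADIUS's own logic): treat the payload as a
    full EAP packet only if the Code is valid and Length matches the payload size.
    A stripped payload whose first byte is 1..4 will almost never also carry a
    matching Length at offset 2, so the two forms can be told apart."""
    if len(data) < EAP_HEADER_LEN:
        return False
    code, _, length = struct.unpack("!BBH", data[:4])
    return 1 <= code <= 4 and length == len(data)


def parse_inner_eap(data, outer_code, outer_identifier):
    """Accept either inner form and return one normalised view of the EAP message.

    Raises ValueError on an empty payload, which neither form permits."""
    if not data:
        raise ValueError("empty inner EAP payload")
    if has_full_eap_header(data):
        code, identifier, _, eap_type = struct.unpack("!BBHB", data[:EAP_HEADER_LEN])
        return {"code": code, "id": identifier, "type": eap_type,
                "data": data[EAP_HEADER_LEN:], "header": "full"}
    # PEAPv0 style: Code and Identifier come from the outer EAP packet
    return {"code": outer_code, "id": outer_identifier, "type": data[0],
            "data": data[1:], "header": "stripped"}


def demo():
    """Constructed sample: an inner EAP-Response/Identity for 'anonymous' (not a capture)."""
    full = build_full_eap(EAP_CODE_RESPONSE, 7, EAP_TYPE_IDENTITY, b"anonymous")
    stripped = strip_eap_header(full)
    as_full = parse_inner_eap(full, EAP_CODE_RESPONSE, 7)
    as_stripped = parse_inner_eap(stripped, EAP_CODE_RESPONSE, 7)
    return as_full, as_stripped


if __name__ == "__main__":
    for view in demo():
        print(view)
```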
Re: [WIRELESS-LAN] Eduroam technical questions
The problem comes in implementing the ban. Some institutions allow an anonymous outer identity for the EAP tunnel, which, so long as it contains enough information for routing, can contain an arbitrary user id. You ban one and the user can just change it and still get access. You never get to see the inner id unless the home server has been configured to send it back in the Access-Accept.

The best solution is to contact the home institution directly and get their guys to ban the user. This will be easier once more institutions have adopted CUI as then there'll be a definitive linking value between a user and a session. Even without CUI it should still be possible to figure out the inner ID using timestamps and attributes included in the authentication request(s), it's just harder to automate the process.

If you're using FreeRADIUS you might want to take a look at the example CUI configurations, and implement them at the same time as your eduroam service.

-Arran

> Ah. You clever fella. Thanks for turning on the light.
>
> Lee H. Badman
> Network Architect/Wireless TME
> ITS, Syracuse University
> 315.443.3003
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C [phan...@utk.edu]
> Sent: Tuesday, November 13, 2012 10:48 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>
> Lee,
>
> Your campus only terminates EAP sessions for YOUR users. For visitors, you take the initial TLS negotiation (with the outer tunnel identity e.g. lhbad...@syr.edu, or anonym...@syr.edu, or @syr.edu) and you pass it to the top level. You never deal with the EAP-type for visitors. In your RADIUS server you basically have a switch: pass to top level OR terminate locally.
>
> Take a look at some config examples: http://www.eduroamus.org/radius_configuration
>
> Philippe
>
> On Nov 13, 2012, at 10:12 AM, Lee H Badman lhbad...@syr.edu wrote:
>
>> Thanks, Philippe- I'm talking more from supplicant config side. So we use Xpressconnect to configure our supplicants to only use MS-CHAPv2/PEAP while disabling the other EAP types, and in RADIUS only have this single EAP type enabled. So if our eduroam SSID required this EAP type, and someone showed up and hit our EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a reconfiguration would be required, no? Or am I really missing something important?
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C [phan...@utk.edu]
>> Sent: Tuesday, November 13, 2012 10:01 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>>
>> Lee,
>>
>> eduroam is EAP agnostic. All that the roaming does is pass the initial SSL/TLS tunnel to the home institution. Then in the tunnel, exchanges occur between your device and your home institution. So, as long as your institution does a tunneled EAP, you are done. The visited institution has nothing to do with your EAP-method. EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work.
>>
>> Philippe
>>
>> On Nov 13, 2012, at 9:52 AM, Lee H Badman lhbad...@syr.edu wrote:
>>
>>> I have read through the most recent docs, not quite grasping:
>>>
>>> - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, does that exclude us from Eduroam?
>>> - If not, what happens when I roam to another campus that uses TLS, or vice versa?
>>>
>>> The goal is autoconnection, with no reconfig, but is everyone on Eduroam really and truly using the same EAP with no need to reconfigure as you roam campus to campus? Sorry to be thick, I realize a lot of time went in to the documents.
>>>
>>> Lee H. Badman
>>> Network Architect/Wireless TME
>>> ITS, Syracuse University
>>> 315.443.3003
Re: [WIRELESS-LAN] Eduroam technical questions
On 14 Nov 2012, at 18:24, Lee H Badman lhbad...@syr.edu wrote:

> Can always block MAC on WLAN too. Simple, nuclear, elegant.

And completely ineffective if the user has any technical skill whatsoever.

    shinyhead:freeradius-server-master arr2036$ ifconfig en0
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
            ether 7c:6d:62:xx:xx:xx
    shinyhead:freeradius-server-master arr2036$ sudo ifconfig en0 ether 11:22:33:44:55:66
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
            ether 11:22:33:44:55:66
            media: autoselect (none)
            status: inactive

-Arran

> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Simons
> Sent: Wednesday, November 14, 2012 1:13 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>
> Our approach is to block MAC addresses of banned machines directly on the switch port using vendor specific features on our switching gear. However, as the Radius requests are still created by your own equipment (which would presumably have MAC address Calling-Station-Id information), you could still reject outer EAP tunnel requests before they are proxied to the user's home institution.
>
> - Craig
>
> On 2012-11-14, at 12:45 AM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>
>> The problem comes in implementing the ban. Some institutions allow an anonymous outer identity for the EAP tunnel, which, so long as it contains enough information for routing, can contain an arbitrary user id. You ban one and the user can just change it and still get access. You never get to see the inner id unless the home server has been configured to send it back in the Access-Accept.
>>
>> The best solution is to contact the home institution directly and get their guys to ban the user. This will be easier once more institutions have adopted CUI as then there'll be a definitive linking value between a user and a session. Even without CUI it should still be possible to figure out the inner ID using timestamps and attributes included in the authentication request(s), it's just harder to automate the process.
>>
>> If you're using FreeRADIUS you might want to take a look at the example CUI configurations, and implement them at the same time as your eduroam service.
>>
>> -Arran
Re: [WIRELESS-LAN] FreeRADIUS performance question
> The easiest way to disable the cache is to set the environment variable KRB5RCACHETYPE to none before starting freeradius. The MIT Kerberos software on our RADIUS servers though is so old (v1.3.x) that it didn't support this, so I had to disable it by writing a patch to the source code (in rlm_krb5.c). If you need that, let me know and I can send it. I think KRB5RCACHETYPE appeared in v1.4.

We've added an option to disable the cache to rlm_krb5, this will be available in 2.2.0, which should be released ~10/09/12. You will need to add 'cache = no' to your existing krb5 configuration file. In what will become 3.0 this is already set in the default configuration file.

Thanks to Shumon Huque for testing.

-Arran
Re: [WIRELESS-LAN] FreeRADIUS performance question
On 23 Aug 2012, at 01:30, Shumon Huque shu...@upenn.edu wrote:

> Jim,
>
> We've been through this, and I'll describe what we did to address it. There are two problems with the freeradius code that cause performance problems with a Kerberos backend:
>
> 1) It doesn't disable the replay cache, which isn't needed for password verification operations (as opposed to native Kerberos), and causes an unnecessary performance bottleneck, as every authentication has to compare authenticators against a large cache of recently seen authenticators.
>
> The easiest way to disable the cache is to set the environment variable KRB5RCACHETYPE to none before starting freeradius. The MIT Kerberos software on our RADIUS servers though is so old (v1.3.x) that it didn't support this, so I had to disable it by writing a patch to the source code (in rlm_krb5.c). If you need that, let me know and I can send it. I think KRB5RCACHETYPE appeared in v1.4.

So an interesting question would be - is anyone actually using EAP-Kerberos? If not, I'll disable caching by default and add a note to the configuration. AFAIK no supplicant has actually implemented any of the client side infrastructure to distribute tickets to other applications. It's annoying, SSO where you got your TGT from an 802.1X authentication would be really neat.

> 2) Although freeradius is multi-threaded, the Kerberos authentication module is single-threaded. I believe recent versions of both MIT and Heimdal Kerberos libraries are threadsafe, but I don't think the freeradius code has been updated for this. So the only way to scale the performance of the RADIUS infrastructure is to deploy more servers (they don't have to be physical, you can install multiple software instances on the same server if you have extra CPUs or cores). We currently have 8 freeradius servers running on 4 physical servers (2 per box). And we balance the wireless controllers across those.

At the university I used to work at, we were handling a similar load with two Xserve G5s, but we were using LDAP and not Kerberos.

> We actually implemented (1) first, and it instantly fixed the performance problems we were seeing at the time. But we wanted to head off the second problem and stay well ahead of demand, so started deploying multiple freeradius instances per server.
>
> One of our staff members is also looking at patching freeradius to multithread the Kerberos bits, but unless the freeradius folks accept those patches and maintain them, we likely won't deploy that option in production.

v2.1.x has gone into an unofficial feature freeze for anything not related to DHCP functionality. If you want this code to be included in future releases please submit the patches against the master branch (3.0). If the module uses long lived connection handles, it must use the connection API (src/main/connection.c). rlm_rest, rlm_sql and rlm_ldap2 (still in development) do this already, and all modules will be updated in time. If the patches are well formatted, documented, and non-duplicative we'll almost certainly accept them.

-Arran
Re: [WIRELESS-LAN] FreeRADIUS performance question
> Disabling the cache by default would be great. Thanks!
>
> EAP-Kerberos doesn't actually exist today as a documented spec -

Ah I guess what I read wasn't an official IETF draft (it was years ago and I figured someone might have done something by now).

> I'm sure that's why there's no client side code. I agree that it would be very nice, not only for the SSO function, but also because it would not be exposing the Kerberos password to the RADIUS servers.

Indeed.

> Many years ago, I tried to drum up interest in developing an EAP-Kerberos spec in the IETF. Ultimately, it didn't go anywhere, but you can read some of the discussion in the following archived thread:
>
> http://www.ietf.org/mail-archive/web/secmech/current/msg00041.html

Thanks :)

>>> 2) Although freeradius is multi-threaded, the Kerberos authentication module is single-threaded. I believe recent versions of both MIT and Heimdal Kerberos libraries are threadsafe, but I don't think the freeradius code has been updated for this. So the only way to scale the performance of the RADIUS infrastructure is to deploy more servers (they don't have to be physical, you can install multiple software instances on the same server if you have extra CPUs or cores). We currently have 8 freeradius servers running on 4 physical servers (2 per box). And we balance the wireless controllers across those.
>>
>> At the university I used to work at, we were handling a similar load with two Xserve G5s, but we were using LDAP and not Kerberos.
>
> The LDAP module is multithreaded, right? That would give it an advantage.

Yes.

> One other mistake we made was that our RADIUS server hardware has many cores, but each core itself is quite slow - this was before we found out that the freeradius krb5 module was single threaded. If we'd known that earlier, we'd have instead purchased machines with fewer faster cores.

Additionally the control thread is also the only one that can insert packets into the request queue, though any worker can pick requests off it.

>>> One of our staff members is also looking at patching freeradius to multithread the Kerberos bits, but unless the freeradius folks accept those patches and maintain them, we likely won't deploy that option in production.
>>
>> v2.1.x has gone into an unofficial feature freeze for anything not related to DHCP functionality. If you want this code to be included in function releases please submit the patches against the master branch (3.0).

*future releases

> Thanks! I'll pass this info along to our team!

np

-Arran
Re: [WIRELESS-LAN] Radius Load-balancing and Aruba
On 15 May 2012, at 20:05, Michael Hulko wrote:

> We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication. The foundation is:
>
> Citrix Netscalars 9000s
> Aruba M3 controllers
> Radiator radius server (currently 3) on a Windows platform.
>
> We have been unable to successfully get authentication to work. We are getting Aruba involved, but they do not seem to have an answer yet.
>
> Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.

Um quick check. All the RADIUS packets for an EAP session are going to the same RADIUS server right? AFAIK Radiator doesn't do EAP session state synchronisation, so you have to ensure the entire EAP exchange goes to a single backend server.

-Arran
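An added illustration of mine (not Radiator, Aruba or NetScaler code) of why the whole EAP exchange has to land on one backend: each simulated server keeps EAP conversation state only in its own memory, so round-robin distribution rejects the conversation at its second packet while persistence keyed on Calling-Station-Id carries it through to Access-Accept. The round-trip count and the persistence key are assumptions chosen for the demonstration.

```python
import hashlib
import itertools
import os

# A PEAP/MS-CHAPv2 exchange needs several Access-Request/Access-Challenge round trips;
# the exact number varies by supplicant, six is an assumed figure for the simulation.
EAP_ROUND_TRIPS = 6


class RadiusBackend:
    """One RADIUS instance: EAP state lives only in this server's memory."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # State attribute value -> round trips completed

    def handle(self, state):
        """Return (reply_code, state_for_next_packet) for one Access-Request."""
        if state is None:  # first packet of a conversation: mint a State attribute
            state = os.urandom(8).hex()
            self.sessions[state] = 1
            return "Access-Challenge", state
        if state not in self.sessions:  # another server's conversation: cannot continue it
            return "Access-Reject", None
        self.sessions[state] += 1
        if self.sessions[state] >= EAP_ROUND_TRIPS:
            del self.sessions[state]
            return "Access-Accept", None
        return "Access-Challenge", state


def round_robin(backends):
    """Naive distribution: every packet goes to the next server regardless of session."""
    cycle = itertools.cycle(backends)
    return lambda calling_station_id: next(cycle)


def sticky_by_client(backends):
    """Persistence on Calling-Station-Id: all packets from one supplicant hit one server.
    A real balancer could equally pin on the State attribute once it is present."""
    def pick(calling_station_id):
        digest = hashlib.sha256(calling_station_id.encode()).hexdigest()
        return backends[int(digest, 16) % len(backends)]
    return pick


def run_eap_conversation(picker, calling_station_id):
    """Drive one supplicant's EAP exchange through the chosen distribution policy."""
    state = None
    for _ in range(EAP_ROUND_TRIPS + 1):
        backend = picker(calling_station_id)
        reply, state = backend.handle(state)
        if reply != "Access-Challenge":
            return reply
    return "Timeout"


if __name__ == "__main__":
    # Constructed sample: a farm of three servers and one supplicant MAC.
    farm = [RadiusBackend(n) for n in ("radius1", "radius2", "radius3")]
    print("round robin:", run_eap_conversation(round_robin(farm), "00-11-22-33-44-55"))
    farm = [RadiusBackend(n) for n in ("radius1", "radius2", "radius3")]
    print("sticky     :", run_eap_conversation(sticky_by_client(farm), "00-11-22-33-44-55"))
```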
Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?
+1 for FreeRADIUS ;)

-Arran

On 1 Nov 2011, at 20:19, Hector J Rios wrote:

> We've been running FreeRADIUS on freeBSD since 2008 and could not be happier. We authenticate over 12K users per day. We use it only for our wireless network (802.1X/MS-CHAPv2/PEAP). It's fast, it's scalable and best of all, it's free!
>
> Thanks,
>
> Hector Rios
> Louisiana State University
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Tuesday, November 01, 2011 1:25 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?
>
> We're feeling some frustration with our current RADIUS solution (ACS 5, virtual appliances) that are frequently attributed to the size of our client base. (At the same time, the logging and reporting on ACS is among the best I've ever seen.) For those of you with large (10,000 + users) RADIUS deployments, what servers are you using and what are your points of pain and/or appreciation? We currently only use the servers in question for wireless client support, doing MS-CHAPv2/PEAP.
>
> Regards-
>
> Lee Badman
>
> Lee H. Badman
> Wireless/Network Engineer
> Information Technology and Services
> Adjunct Instructor, iSchool
> Syracuse University
> 315 443-3003

Arran Cudbard-Bell a.cudba...@freeradius.org
Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: [WIRELESS-LAN] iOS devices on wireless
On Jun 27, 2011, at 5:27 PM, Garry Peirce wrote:

> I'd agree that the protocol should be 'fixed' here and not re-design the underlying network to support a particular service. (Note that other service discovery protocols have the same issue: SSDP, WS-Discovery.) To that end, I was curious if anyone had tried/is using DNS-SD (unicast) to support Bonjour on wireless, aka 'wide area' Bonjour, whether for static or dynamic services. That would seem to make the most sense.

Bonjour as a protocol works great for a small number of devices, or networks with a fairly low rate of new connections. One of the nice things about Bonjour is that it will listen passively on the multicast address, and if another client requests all hosts for a particular service, it'll cache the response and not bother asking. Unfortunately if you have lots of new clients coming on and requesting all hosts for a particular service, it can quickly generate large amounts of multicast traffic.

I'm not sure there's really a better way for peer-based service discovery, which is what's really required in the home environment.

Wide Area Bonjour seems to be the solution. Hosts on the network can register themselves with a central service that can be queried by all clients on the network via unicast. Instructions for setting it up are here: http://www.dns-sd.org/ServerSetup.html

So the grumbling at Apple probably isn't justified. There is a solution out there for enterprise networks, it just takes a bit of time and effort to set up.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
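What the "central service" in Arran's reply actually serves is ordinary unicast DNS: a browse-domain pointer plus a PTR/SRV/TXT triple per registered service, as described in RFC 6763 and on the dns-sd.org page linked above. The block below is an added example, not code from the thread or from the dns-sd.org instructions: it turns a constructed list of service registrations into the zone records a wide-area Bonjour server would answer with, including the zone-file escaping that instance names with spaces need. The domain, instance names, hosts and TXT values are all constructed.

```python
# Constructed sample registrations (hypothetical names and hosts).
CONSTRUCTED_SERVICES = [
    {"instance": "Library Printer", "type": "_ipp._tcp",
     "host": "printer1.example.edu.", "port": 631,
     "txt": {"txtvers": "1", "rp": "printers/lib"}},
    {"instance": "Lab AirPlay", "type": "_airplay._tcp",
     "host": "appletv-lab.example.edu.", "port": 7000,
     "txt": {"model": "AppleTV3,2"}},
]


def escape_label(label):
    """Escape a DNS-SD instance name for zone-file use (RFC 1035 master-file syntax):
    backslash and dot are backslash-escaped; spaces and other bytes that are not
    letters, digits, '-' or '_' are written as \\DDD (decimal byte value)."""
    out = []
    for ch in label:
        if ch in "\\.":
            out.append("\\" + ch)
        elif ch.isalnum() or ch in "-_":
            out.append(ch)
        else:
            out.extend("\\%03d" % b for b in ch.encode("utf-8"))
    return "".join(out)


def txt_strings(txt):
    """Render a TXT record as one quoted key=value string per entry (RFC 6763 section 6)."""
    quoted = []
    for key, value in txt.items():
        value = value.replace("\\", "\\\\").replace('"', '\\"')
        quoted.append('"%s=%s"' % (key, value))
    return " ".join(quoted)


def zone_records(domain, services):
    """Return the records a unicast DNS-SD zone needs for these registrations:
    browse-domain pointers so clients can find the domain, then for each service
    a PTR (service type -> instance), an SRV (instance -> host:port) and a TXT."""
    domain = domain.rstrip(".") + "."
    lines = [
        "b._dns-sd._udp.%s PTR %s" % (domain, domain),   # browsable domain
        "db._dns-sd._udp.%s PTR %s" % (domain, domain),  # default browse domain
    ]
    for svc_def in services:
        service = "%s.%s" % (svc_def["type"], domain)
        instance = "%s.%s" % (escape_label(svc_def["instance"]), service)
        lines.append("%s PTR %s" % (service, instance))
        lines.append("%s SRV 0 0 %d %s" % (instance, svc_def["port"], svc_def["host"]))
        lines.append("%s TXT %s" % (instance, txt_strings(svc_def["txt"])))
    return lines


if __name__ == "__main__":
    for line in zone_records("example.edu", CONSTRUCTED_SERVICES):
        print(line)
```

A client browsing for printers asks for `_ipp._tcp.example.edu. PTR` over unicast and then resolves the SRV and TXT of each instance it gets back, which is the same three-step lookup mDNS does on the multicast group, just answered by one server instead of by every host on the segment.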
Re: [WIRELESS-LAN] Anyone use CloudPath ?
Hi Mike,

We've been using it successfully since September, primarily with Windows XP, Vista, 7 and Mac OSX 10.4, 5, 6. The only real issues we had were getting it to work with Apache 1* and SSL (it'd hang attempting to download support files), but since disabling SSL/moving the resources to an Apache 2 server, it's been fine.

We're currently using it to support our wireless WPA2/AES 802.1X authed network, and our residential 802.1X authed network; using the ActiveX/Java Web Start feature to launch it from a captive registration portal.

Students/Staff/Helpdesk all love it, well worth the investment IMO.

-Arran

On 23/11/2009 15:12, Michael Dickson wrote:

> We're considering Cloudpath XpressConnect to see if this product can assist with client configuration and help us achieve higher user adoption of our 802.1x network. Anyone using XpressConnect successfully? Do you use it for Win and Mac? How is pricing determined for a campus?
>
> We're offering 802.1x with TTLS/PAP/AES and use SecureW2 for our Windows users. Adoption rate over our captive portal SSID is going just ok. We are planning a large expansion project and want to make getting on 802.1x as easy as possible.
>
> Comments, advice, complaints or horror stories appreciated. Reply to me directly if you prefer not to air grievances publicly.
>
> Thanks in advance,
> --Mike
>
> Michael Dickson
> 413.545.9639
> Network Analyst
> Univ. of Massachusetts Amherst

--
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA), Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: [WIRELESS-LAN] Anyone use CloudPath ?
On 23/11/2009 19:11, Methven, Peter J wrote:

> It can reorder preferred networks to ensure the devices connect to the secure one in preference. I've never tried deleting networks from users' laptops as I always worry they may object, but I believe it can.

Yep, definitely can. We use it to remove the association for the registration portal WLAN once the user's done registering, and any older legacy networks.

-Arran
Re: [WIRELESS-LAN] configuration script
On 17/6/09 17:00, Lunceford, Dan wrote:

> I'd love to see it. Thanks so much for sharing.

Second that!

Cheers,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: [WIRELESS-LAN] configuration script
Brian Beausoleil wrote:

> Perhaps a link distributed would be helpful to anyone else wanting to see the source code?

I know I would also like to see the code. It'd also be very useful if it could be released under one of the open source licenses like GPLv3. Then we can include it in our own projects without legal ramifications.

Thanks,
Arran

> Thanks for making it available to us.
>
> Brian Beausoleil - Network Administrator
> Office of Information Technology
> SOUTHERN CT STATE UNIVERSITY
> beausolei...@southernct.edu
> Work: (203) 392-6109
> Fax: (203) 392-6711
>
> On 6/17/09 12:37 PM, Caroline Owens ow...@sju.edu wrote:
>
> > Make that one more for seeing the source code... thanks for sharing this Chris!
> >
> > Caroline Owens
> > Networking and Telecommunications
> > Saint Joseph's University
> >
> > Chris Brauchli wrote:
> >
> > > Here at Williams we wrote an in-house solution based on the Native WiFi API (http://msdn.microsoft.com/en-us/library/ms706556(VS.85).aspx) that is doing the job well so far. If anybody wants to see the source code, feel free to email me and I'll happily share it. The nice thing about this solution is that it deletes saved credentials and sets up the 802.1X network for the user. Also, since it's based on Microsoft's provided API, it's likely to continue working for a while. It works on XP SP2 with the Wireless LAN API up.
> > >
> > > Chris Brauchli
Re: [WIRELESS-LAN] Wireless Printers on 802.1x Network
On 8/6/09 19:48, Lee H Badman wrote:

> Thanks, Arran. I did pick apart a Dell 5210n this morning that looked hopeful, but regardless of what you configured it refused to functionally do anything beyond LEAP. Sigh...

Oh dear... if you're going to implement anything, LEAP is *not* the one to go for. Suppose you've applied all the latest F/W updates etc.?

It's nice that these vendors are taking the time to implement WPA-Enterprise on their latest products... if only they could actually get it right.

Worst comes to the worst you could always look into wireless client bridges. Get them to connect on behalf of the printers then just run ethernet.

Arran

> Lee H. Badman
> Wireless/Network Engineer
> Information Technology and Services
> Syracuse University
> 315 443-3003
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Arran Cudbard-Bell
> Sent: Monday, June 08, 2009 2:26 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless Printers on 802.1x Network
>
> > Hi Lee,
> >
> > > Given that we are running 802.1x PEAP w/ MS-CHAPv2, WPA/TKIP on main prod wireless network, has anyone with same network setup found a wireless printer that will work as a client device? Looking for real examples of functional printers; several wireless printers look potentially good until you go to set them up. If you know of any that work in the real world (with 802.1x PEAP w/ MS-CHAPv2, WPA/TKIP) the information would have great value.
> >
> > Only negative information I'm afraid. Last time I checked the HP JetDirect supplicant was running something that claimed to be PEAPv0 (had the PEAPv0 flag), but acted more like PEAPv1 (including full EAP headers in the inner tunnel). Our RADIUS servers (FreeRADIUS 2.*) categorically refused to authenticate these devices (because of the additional headers in the inner tunnel), and I've heard reports that IAS rejects them as well.
> >
> > This was on wired, but the supplicant is probably the same for both wired and wireless interfaces (it'd make no sense implementing EAP twice).
> >
> > Regards,
> > Arran
> >
> > --
> > Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
> > Authentication, Authorisation and Accounting Officer,
> > Infrastructure Services (IT Services),
> > E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> > DDI+FAX: +44 1273 873900 | INT: 3900
> > GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
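The PEAPv0/PEAPv1 mismatch Arran describes in the quoted message is a framing difference inside the TLS tunnel: PEAPv0 (the Microsoft variant) carries inner EAP packets as just Type plus type-data, relying on the outer EAP Code, Identifier and Length, whereas PEAPv1 carries a full five-byte-or-longer EAP header inside the tunnel. The block below is an added example, not code from the thread, from FreeRADIUS or from IAS: it shows the server-side check that tells the two framings apart after decryption, rebuilds a full EAP packet either way, and reports when the framing contradicts the version negotiated in the outer PEAP flags, which is the condition that made the servers in the thread reject the JetDirect supplicant. The sample inner payloads and outer identifier are constructed.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def looks_like_full_eap_header(inner):
    """Heuristic for decrypted PEAP inner data: a PEAPv1-style payload starts with
    Code(1) Identifier(1) Length(2) Type(1) where Code is valid and Length equals
    the payload size. A PEAPv0 payload (Type + data) almost never satisfies both,
    but the check is a heuristic, not a proof, which is why strict servers may
    simply refuse frames whose framing does not match the negotiated version."""
    if len(inner) < 5:
        return False
    code, _ident, length = struct.unpack("!BBH", inner[:4])
    return code in EAP_CODES and length == len(inner)


def normalise_inner_eap(inner, outer_code, outer_ident, negotiated_version):
    """Rebuild a complete EAP packet from the tunnel payload.
    Returns (packet, note); note is empty when the framing matches the negotiated
    PEAP version, otherwise it describes the mismatch so the server can log it."""
    if not inner:
        raise ValueError("empty inner EAP data")
    if looks_like_full_eap_header(inner):
        packet = bytes(inner)
        note = "" if negotiated_version == 1 else (
            "PEAPv0 negotiated but inner data carries a full EAP header (PEAPv1 framing)")
    else:
        # PEAPv0 framing: borrow Code and Identifier from the outer EAP packet.
        packet = struct.pack("!BBH", outer_code, outer_ident, 4 + len(inner)) + bytes(inner)
        note = "" if negotiated_version == 0 else (
            "PEAPv1 negotiated but inner data has no EAP header (PEAPv0 framing)")
    return packet, note


def decode_eap(packet):
    """Decode a full EAP packet into its fields, validating Code and Length."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES or length != len(packet):
        raise ValueError("malformed EAP packet")
    eap_type = packet[4] if length > 4 else None
    return {"code": EAP_CODES[code], "id": ident, "type": eap_type, "data": packet[5:]}


# Constructed samples: the same inner Identity response in both framings.
PEAPV0_INNER = b"\x01anonymous"                      # Type=Identity, then identity
PEAPV1_INNER = b"\x02\x05\x00\x0e\x01anonymous"      # Response, id 5, len 14, Identity


def classify_samples(outer_ident=5):
    """Run both samples through a server that negotiated PEAPv0 (the JetDirect case)."""
    results = {}
    for name, inner in (("v0-framing", PEAPV0_INNER), ("v1-framing", PEAPV1_INNER)):
        packet, note = normalise_inner_eap(inner, 2, outer_ident, negotiated_version=0)
        results[name] = (decode_eap(packet), note)
    return results


if __name__ == "__main__":
    for name, (fields, note) in classify_samples().items():
        print(name, fields, "| " + note if note else "")
```

Under a PEAPv0 negotiation the first sample decodes cleanly with an empty note, while the second decodes to the very same Identity response but carries the mismatch note; a lenient server could continue from the rebuilt packet, and a strict one rejects at exactly that point.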